Simple Security Flaws Could Steer Ships Off Course

A PoC shows how ships could be hacked and fooled into changing direction – all due to simple security issues.

A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks.

Researcher Ken Munro, with Pen Test Partners, on Monday showed how the attack could work and how it’s possible to manipulate a ship’s steering, propulsion, ballast and navigation data. The attack focused on targeting the devices that serve as a “bridging point” between the operational technology (OT) and IP networks.

“We’ve shown before how it’s relatively straightforward to compromise the business network through the satcom terminal if basic security controls aren’t in place. However, affecting the OT systems requires additional work,” he said in a post.

The weaknesses Munro found stem from several vulnerable IP network devices on ships – which are used in business systems, crew mail and web browsing. Researchers point out they all exist on the same network behind operational devices.

There are several of these “bridging points” on ships, said Munro – including the Electronic Chart Display and Information System (ECDIS), Voyage Data Recorder, synthetic radar, and sometimes the Automatic Tracking System (AIS) transponder.

For the proof of concept, researchers focused on serial-IP converters, including those made by Moxa and Perle Systems, which are used to send serial data over IP/Ethernet networks’ cabling. Researchers were able to use a ThinkPad running Kali Linux (a Debian-derived Linux distribution designed for penetration testing and digital forensics) to look at the data running through the serial-to-IP converters.

These converters have an array of security issues if not updated, he said. The web interface for configuration generally has default credentials – which ironically are published by the manufacturers on their own websites, the researcher said.

“Once you’ve got the password, you can administrate the converter,” wrote Munro. “That means complete compromise and control of the serial data it is sending to the ship’s engine, steering gear, ballast pumps or whatever.”

Even if the passwords have been changed, the converter is still susceptible to attack. Alarmingly, the Moxa converter firmware also contains a known security flaw (CVE-2016-9361) that enables hackers to use Metasploit modules (a tool for developing and executing exploit code against a remote target machine) to recover the administrator password – even if it has already been changed.

The vulnerability has a CVSS score of 7.5 and impacts an array of Moxa versions, including several versions of the Nport 5100 firmware and the Nport 5200 series firmware.

Once a hacker gains the admin credentials, they are able to launch an insidious man-in-the-middle attack – essentially injecting false GPS data into the various systems on the bridge, said Munro.

Attackers may be able to route serial traffic through their attack laptop and inject a filter, modifying the GPS location data being fed to the ECDIS.

Ultimately, if the Electronic Chart Display and Information System is in “Track Control” mode (which is autopilot), then the hacker can fool it and cause the ship to change direction, said Munro.
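A defender monitoring the serial feed into the ECDIS can flag this kind of position rewrite. The following is an added example, not code from the article or from Pen Test Partners: it assumes the GPS data is carried as NMEA 0183 GGA sentences (the article does not name the protocol), and the function names, the 30-knot speed bound and the sample sentences are all constructed for illustration.

```python
import math
from functools import reduce

def nmea_xor(body):
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def checksum_ok(sentence):
    body, star, given = sentence[1:].partition("*")
    try:
        return sentence[:1] == "$" and star == "*" and nmea_xor(body) == int(given[:2], 16)
    except ValueError:
        return False

def to_degrees(value, hemi):  # ddmm.mmmm + hemisphere -> signed decimal degrees
    deg, minutes = divmod(float(value), 100)
    return (deg + minutes / 60.0) * (-1 if hemi in ("S", "W") else 1)

def parse_gga(sentence):
    """Return (seconds_of_day, lat, lon) from a GGA fix sentence."""
    f = sentence.split("*")[0].split(",")
    secs = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    return secs, to_degrees(f[2], f[3]), to_degrees(f[4], f[5])

def distance_nm(a, b):
    """Equirectangular distance in nautical miles between (t, lat, lon) fixes."""
    dlon = (b[2] - a[2]) * math.cos(math.radians((a[1] + b[1]) / 2))
    return 60 * math.hypot(b[1] - a[1], dlon)

def find_anomalies(sentences, max_speed_kn=30.0):  # 30 kn: assumed vessel limit
    alerts, prev = [], None
    for i, s in enumerate(sentences):
        if not checksum_ok(s):
            alerts.append((i, "bad checksum"))
        elif s[3:6] == "GGA":
            cur = parse_gga(s)
            if prev and cur[0] > prev[0]:
                knots = distance_nm(prev, cur) / ((cur[0] - prev[0]) / 3600.0)
                if knots > max_speed_kn:
                    alerts.append((i, "position jump"))
            prev = cur
    return alerts

def constructed_feed():
    """Constructed sample: two honest fixes, one rewritten fix, one edit with a stale checksum."""
    bodies = ["GPGGA,12000%d.00,%s,N,00100.0000,W,1,08,0.9,0.0,M,0.0,M,," % (n, lat)
              for n, lat in enumerate(["5000.0000", "5000.0030", "5001.0000", "5001.0030"])]
    feed = ["$%s*%02X" % (b, nmea_xor(b)) for b in bodies]
    return feed[:3] + [feed[3].replace("5001.0030", "5009.0030")]
```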

Insecure Shipping

Researchers have long warned about the vulnerabilities and security issues afflicting the shipping industry. Pen Test Partners earlier this month released a number of other PoC attacks demonstrating an array of methods for disrupting the shipboard navigation systems.

In a similar PoC example, Munro showed how an adversary could access the ship’s IT infrastructure and then fool the ECDIS into thinking that the GPS receiver was in a different location on board – and the system could then essentially “correct” the course, sending the ship in the wrong direction.

Beyond PoCs, hackers seem to have set their eyes on the shipping industry: in April, the Dell SecureWorks Counter Threat Unit identified a hacking group, dubbed Gold Galleon, behind several prolific business email compromise attacks that have cost the maritime shipping industry millions of dollars since last year.

Attackers were taking advantage of the industry’s lax security and the use of outdated computers, SecureWorks said.

Mitigations

Mitigations for this type of attack include changing passwords from default, keeping serial device software up to date, and enabling and configuring encrypted communications.

Many newer serial-to-IP converters support SSH or similar traffic encryption, making man-in-the-middle attacks more difficult, said Munro.

Most importantly, segregating vessel networks is key. “This applies to both the IP and serial networks. Serial networks are often overlooked as there are often different teams responsible for IT and OT networks,” said Munro. “My experience from utilities suggests that IT and OT network personnel often don’t work together closely, leading to misunderstandings and allowing security holes to creep in.”

Authors

Threatpost
